fcontext nightmare - Help please?
Tom London
selinux at gmail.com
Mon Sep 17 14:06:57 UTC 2012
On Mon, Sep 17, 2012 at 6:51 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/16/2012 09:00 PM, Tom London wrote:
>> On Mon, Aug 20, 2012 at 2:59 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> On 08/19/2012 04:24 PM, Tom London wrote:
>>>>> On Tue, Aug 14, 2012 at 2:21 PM, Dominick Grift
>>>>> <dominick.grift at gmail.com> wrote:
>>>>>> You might want to check out the semanage --equiv option. (man
>>>>>> semanage)
>>>>>>
>>>>>> That basically allows you to alias existing file context
>>>>>> structures:
>>>>>>
>>>>>> heres an example from man semanage:
>>>>>>
>>>>>> For home directories under top level directory, for example
>>>>>> /disk6/home, execute the following commands. # semanage fcontext -a
>>>>>> -t home_root_t "/disk6" # semanage fcontext -a -e /home /disk6/home
>>>>>> # restorecon -R -v /disk6
>>>>>>
>>>>>> so in your case you might want to make /data equivalent to / or
>>>>>> something
>>>>>>
>>>>>> semanage fcontext -a -e / /data restorecon -R -v -F /data
>>>>>>
>>>>>> That should label /data root_t, /data/var var_t, /data/var/lib
>>>>>> var_lib_t etc.
>>>>>>
>>>>>> just as if it was your main file system.
>>>>>>
>>>>>
>>>>> So this sounds exactly what i would like to do with my Luks encrytped
>>>>> USB back up drive.
>>>>>
>>>>> Unfortunately, I'm stumbling across the fact that the drive is
>>>>> 'automagically' mounted (when I login or power it on), and it gets
>>>>> mounted on /run/media/tbl/Backup1TB:
>>>>>
>>>>> /dev/mapper/luks-94a9d7d7-f819-4c2c-b735-81bb28db0426 on
>>>>> /run/media/tbl/Backup1TB type ext4
>>>>> (rw,nosuid,nodev,relatime,seclabel,data=ordered,uhelper=udisks2)
>>>>>
>>>>> The 'semanage -e' command spews:
>>>>>
>>>>> [root at tlondon ~]# semanage fcontext -a -e /
>>>>> /run/media/tbl/Backup1TB/X200 /sbin/semanage: File spec
>>>>> /run/media/tbl/Backup1TB/X200 conflicts with equivalency rule '/run
>>>>> /var/run'; Try adding '/var/run/media/tbl/Backup1TB/X200' instead
>>>>> [root at tlondon ~]#
>>>>>
>>>>> Appears that '/var/run/media' doesn't exist on my system (I guess
>>>>> /run and /var/run are not really 'equivalent'?).
>>>>>
>>>>> This an issue with my system (e.g., do I need an explicit entry in
>>>>> fstab or some such)? With the scaffolding that deals with /run and
>>>>> /var/run? Other? Should this work?
>>>>>
>>>>> Thanks, tom
>>>>>
>> Yes it is telling you about a double equivalence. systemd guys have
>> suggested that we reverse the equivalence. since /var/run does not really
>> exist anymore, they suggested we move to /var/run -> /run rather then what
>> we currently have /run -> /var/run. My concern with this switch would be
>> if users/package developers had already added file context for /var/run
>>
>> So I tried this to work around the 'one-level equivalence detection':
>>
>> [root at tlondon ~]# mount --bind /run/media/tbl/Backup1TB/X200/ /mnt
>> [root at tlondon ~]# semanage fcontext -a -t root_t /mnt [root at tlondon ~]#
>> semanage fcontext -a -e / /mnt [root at tlondon ~]# restorecon -v -R /mnt
>> restorecon reset /mnt context
>> system_u:object_r:admin_home_t:s0->system_u:object_r:root_t:s0 restorecon
>> reset /mnt/.tcshrc context
>> staff_u:object_r:admin_home_t:s0->staff_u:object_r:etc_runtime_t:s0
>> restorecon reset /mnt/run context
>> staff_u:object_r:admin_home_t:s0->staff_u:object_r:var_run_t:s0 restorecon
>> reset /mnt/enable-unconfined context
>> unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:etc_runtime_t:s0
>>
>>
> restorecon reset /mnt/.lesshst context
>> staff_u:object_r:admin_home_t:s0->staff_u:object_r:etc_runtime_t:s0
>> <<<<<SNIP>>>>> <<<<<Lots of relabelling here>>>>> restorecon reset
>> /mnt/var/cache/krb5rcache context
>> staff_u:object_r:var_t:s0->staff_u:object_r:krb5_host_rcache_t:s0
>> restorecon reset /mnt/var/cache/jetty context
>> system_u:object_r:var_t:s0->system_u:object_r:jetty_cache_t:s0 restorecon
>> reset /mnt/var/cache/jetty/temp context
>> system_u:object_r:var_t:s0->system_u:object_r:jetty_cache_t:s0 restorecon
>> reset /mnt/var/cache/httpd context
>> staff_u:object_r:var_t:s0->staff_u:object_r:httpd_cache_t:s0 restorecon
>> reset /mnt/var/cache/httpd/proxy context
>> staff_u:object_r:var_t:s0->staff_u:object_r:httpd_cache_t:s0 [root at tlondon
>> ~]#
>>
>> I checked a few relabelled files, and the contexts seem correct, for
>> example: restorecon reset /mnt/usr/share/jetty/bin/jetty.sh context
>> staff_u:object_r:bin_t:s0->staff_u:object_r:httpd_exec_t:s0
>>
>>
>> I should have used something other than '/mnt', of course. And since the
>> drive is not persistently mounted, I'm thinking of wrapping the 'rsync'
>> command with 'semanage' commands that temporarily add/delete the mappings.
>>
>> Am I correct in assuming that the way to do this is (presuming bind mount
>> the mounted path to '/backup'):
>>
>>
>> semanage fcontext -a -t root_t /backup semanage fcontext -a -e / /backup
>>
>> rsync ..... lots of options
>>
>> semanage fcontext -d -e / /backup semanage fcontext -d -t root_t /backup
>>
>>
>> That seem right?
>>
>> Thanks! tom
>>
>
> I would figure
>
> /backup/run/blah or /backup/usr/lib64 might be labeled differently then /run
> and /usr/lib64.
>
> Since only one substitution would happen. You would really need to do all of
> the substitutions again.
>
> /backup/run == /var/run
> /backup/usr/lib64 == /usr/lib
> ...
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
>
> iEYEARECAAYFAlBXKvoACgkQrlYvE4MpobNRdgCgvmALwQjwpB+oEB2l2a6akHF9
> rwkAniexDIyfYtm4IUlvYeCTs7c9gIUu
> =1igJ
> -----END PGP SIGNATURE-----
Argh.... Of course.
Ignore above....
tom
--
Tom London
More information about the selinux
mailing list